What is Risk Identification? [+Free Template]
Published: March 24th, 2021
Author: Matthew Quinn
Categories: Risk Assessment Risk Management
In this article we will look at Risk Identification – the first stage of a risk assessment. We cover the other stages, Risk Analysis and Risk Evaluation, in separate articles.
In addition to explaining the process of risk identification, this article will also outline some risk identification techniques. That is, methods you can use to identify risks your firm faces.
To help you get started, we are also providing a free Structured What If Technique (SWIFT) template, which you can use to help populate your risk register!
What is Risk Identification?
The purpose of risk identification is (per ISO 31000) “to find, recognize and describe(the) risks” faced by your firm.
In other words, it is the process by which you discover, and then accurately describe and record, individual risks. The result of this work will be an ongoing list of risks (as captured in your risk register).
The vast majority of organizations will be doing this in some form. Every CEO knows their business faces ‘some’ risks. But it is often ad hoc and the information gathered is incomplete.
A formal risk identification procedure aims to correct this.
As mentioned before, risk identification is the first stage of a broader risk assessment process.
Once you have identified the risk you face, you can then analyze (i.e. score) and evaluate (i.e. decide what to do) them. All of these activities help build your overall risk management plan.
What sort of information should I collect?
One of the main things you are aiming for when identifying risks is completeness; you want to capture the risk you face ‘in the round’.
ISO 31000 (Risk Management – Guidelines) notes that:
“Relevant, appropriate and up to date information is important in identifying risks.”
A failure to identify ‘all of the risk’ (for want of a better term) can lead to problems further down the line and hinder effective risk management. For example, you may end up scoring (as part of the analysis stage) the risk too high, and embark on a costly mitigation process (when the actual level of risk faced was much lower).
Of course, it is impossible to always capture all of the relevant information. There will be times when your risk identification process misses things. But the aim is to try and be as complete as possible. (When you do make mistakes, be sure to conduct a lessons learned exercise to understand why.)
But what sort of information should you be collecting? What counts as relevant and appropriate (up to date should be easier to handle)?
As a start, ISO 31000 suggests the following factors, and the relationship between these factors, should be considered:
-tangible and intangible sources of risk;
-causes and (risk) events;
-threats and opportunities;
-vulnerabilities and capabilities;
-changes in the external and internal context;
-indicators of emerging risks;
-the nature and value of assets and resources;
-consequences and their impact on objectives;
-limitations of knowledge and reliability of information;
-time-related factors;
-biases, assumptions and beliefs of those involved.
As should be clear, these are topic-neutral factors, they apply to different kinds of risk (e.g. IT project risks or operational project risk management).
From this list it should also be clear why risk identification such a critical part of the risk management process. As mentioned above, a failure to gather as much of the appropriate information as possible can leave you in a difficult situation later on.
This being the case, how should you ensure your collecting all this information you need?
Risk Identification Techniques
This is where risk identification techniques come in to play. Methodologies like SWIFT and the Delphi technique are designed to help you gather as much (relevant) information as possible.
These techniques aren’t infallible. How effective they are is, to a large extent, down to those using them (i.e. the risk project teams & project managers).
(As a side note, this holds more generally too, the better trained and resourced your team, the better you will manage the risks your organization faces.)
There are a variety of risk identification techniques your organization could use. Which you end up using depends on a range of factors. For example, some techniques are better for identifying qualitative risks, others for quantitative ones.
Note that certain techniques also require specially trained practitioners, meaning they will not be appropriate for more ‘general’ users.
For those new to the topic, we would recommend using SWIFT. It uses an intuitive ‘question and answer’ format to help you identify your risks. It is also subject matter agnostic, so you can use it for a variety of different kinds of risk.
The technique also has the added benefit of being usable for the entire risk assessment process (including risk analysis and risk evaluation). Meaning you will not need to switch from technique to technique as you progress.
If you would like to see whether SWIFT could be helpful to your organisation, please download our free SWIFT Template below.
Summary
Hopefully, you are now a little clearer on what risk identification is, and how it fits into the broader risk assessment process.
Though this topic can seem a little daunting, at root, it is simply about gathering the right sort of information (which you can then use to understand your risks in more detail).
If you would like to discuss the topic with a member of Apomatix’s team, please feel free to book a meeting with our Head of Operations.